penguin-statistics / backend-next

The refactored Penguin Statistics v3 Backend. Built with Go, fiber, bun and go.uber.org/fx. Uses NATS as the message queue and Redis for state synchronization.
MIT License

fix(deps): update module github.com/gofiber/fiber/v2 to v2.52.5 [security] #532

Open renovate[bot] opened 1 month ago

renovate[bot] commented 1 month ago

This PR contains the following updates:

Package Change
github.com/gofiber/fiber/v2 v2.50.0 -> v2.52.5

GitHub Vulnerability Alerts

CVE-2024-25124

The CORS middleware allows for insecure configurations that could potentially expose the application to multiple CORS-related vulnerabilities. Specifically, it allows setting the Access-Control-Allow-Origin header to a wildcard ("*") while also having the Access-Control-Allow-Credentials set to true, which goes against recommended security best practices.

Impact

The impact of this misconfiguration is high as it can lead to unauthorized access to sensitive user data and expose the system to various types of attacks listed in the PortSwigger article linked in the references.

Proof of Concept

The code in cors.go allows setting a wildcard in the AllowOrigins while having AllowCredentials set to true, which could lead to various vulnerabilities.

Potential Solution

Here is a potential solution to ensure the CORS configuration is secure:

```go
package cors

import "github.com/gofiber/fiber/v2"

func New(config ...Config) fiber.Handler {
	cfg := configDefault(config...) // effective config: the caller's fields merged with the defaults
	if cfg.AllowCredentials && cfg.AllowOrigins == "*" {
		panic("[CORS] Insecure setup, 'AllowCredentials' is set to true, and 'AllowOrigins' is set to a wildcard.")
	}
	// Return new handler goes below
}
```

The middleware will not allow insecure configurations when using `AllowCredentials` and `AllowOrigins`.

Workarounds

For the meantime, users are advised to manually validate the CORS configurations in their implementation to ensure that they do not allow a wildcard origin when credentials are enabled. The browser Fetch API, browsers and utilities that enforce CORS policies are not affected by this.

References

- MDN Web Docs on CORS Errors
- CodeQL on CORS Misconfiguration
- PortSwigger on Exploiting CORS Misconfigurations
- WhatWG CORS protocol and credentials

CVE-2024-38513

A security vulnerability has been identified in the Fiber session middleware where a user can supply their own session_id value, leading to the creation of a session with that key.

Impact

The identified vulnerability is a session middleware issue in GoFiber versions 2 and above. This vulnerability allows users to supply their own session_id value, resulting in the creation of a session with that key. If a website relies on the mere presence of a session for security purposes, this can lead to significant security risks, including unauthorized access and session fixation attacks. All users utilizing GoFiber's session middleware in the affected versions are impacted.

Patches

The issue has been addressed in the latest patch. Users are strongly encouraged to upgrade to version 2.52.5 or higher to mitigate this vulnerability.

Workarounds

Users who are unable to upgrade immediately can apply the following workarounds to reduce the risk:

  1. Validate Session IDs: Implement additional validation to ensure session IDs are not supplied by the user and are securely generated by the server.
  2. Session Management: Regularly rotate session IDs and enforce strict session expiration policies.

References

For more information on session best practices:

Users are encouraged to review these references and take immediate action to secure their applications.


Release Notes

gofiber/fiber (github.com/gofiber/fiber/v2)

### [`v2.52.5`](https://togithub.com/gofiber/fiber/releases/tag/v2.52.5)

[Compare Source](https://togithub.com/gofiber/fiber/compare/v2.52.4...v2.52.5)

#### 👮 Security

- Middleware/session: Session Middleware Token Injection Vulnerability - GHSA-98j2-3j3p-fw2v https://docs.gofiber.io/api/middleware/session

#### 🧹 Updates

- Middleware/session: Remove extra release and acquire ctx calls in session_test.go ([#3043](https://togithub.com/gofiber/fiber/issues/3043))

#### 🐛 Bug Fixes

- Middleware/monitor: middleware reporting of CPU usage ([#2984](https://togithub.com/gofiber/fiber/issues/2984))
- Middleware/session: mutex for thread safety ([#3050](https://togithub.com/gofiber/fiber/issues/3050))

#### 📚 Documentation

- Improve ctx.Locals method description and example ([#3030](https://togithub.com/gofiber/fiber/issues/3030))
- Improve ctx.Locals method documentation ([#3033](https://togithub.com/gofiber/fiber/issues/3033))
- Update README_id.md ([#3045](https://togithub.com/gofiber/fiber/issues/3045))

**Full Changelog**: https://github.com/gofiber/fiber/compare/v2.52.4...v2.52.5

Thank you [@nyufeng](https://togithub.com/nyufeng), [@PaulTitto](https://togithub.com/PaulTitto) and [@sixcolors](https://togithub.com/sixcolors) for making this update possible.

### [`v2.52.4`](https://togithub.com/gofiber/fiber/releases/tag/v2.52.4)

[Compare Source](https://togithub.com/gofiber/fiber/compare/v2.52.3...v2.52.4)

#### 🐛 Fixes

- Middleware/cors: CORS handling by [@sixcolors](https://togithub.com/sixcolors) in [https://github.com/gofiber/fiber/pull/2937](https://togithub.com/gofiber/fiber/pull/2937)
- Middleware/cors: Vary header handling non-cors OPTIONS requests by [@sixcolors](https://togithub.com/sixcolors) in [https://github.com/gofiber/fiber/pull/2939](https://togithub.com/gofiber/fiber/pull/2939)

**Full Changelog**: https://github.com/gofiber/fiber/compare/v2.52.3...v2.52.4

### [`v2.52.3`](https://togithub.com/gofiber/fiber/releases/tag/v2.52.3)

[Compare Source](https://togithub.com/gofiber/fiber/compare/v2.52.2...v2.52.3)

#### 🐛 Fixes

- Middleware/cors: Handling and wildcard subdomain matching by [@sixcolors](https://togithub.com/sixcolors) in [https://github.com/gofiber/fiber/pull/2915](https://togithub.com/gofiber/fiber/pull/2915)
- Middleware/cors: Categorize requests correctly by [@sixcolors](https://togithub.com/sixcolors) in [https://github.com/gofiber/fiber/pull/2921](https://togithub.com/gofiber/fiber/pull/2921)
- Middleware/csrf: Fix Benchmark Tests by [@sixcolors](https://togithub.com/sixcolors) in [https://github.com/gofiber/fiber/pull/2932](https://togithub.com/gofiber/fiber/pull/2932)

**Full Changelog**: https://github.com/gofiber/fiber/compare/v2.52.2...v2.52.3

### [`v2.52.2`](https://togithub.com/gofiber/fiber/releases/tag/v2.52.2)

[Compare Source](https://togithub.com/gofiber/fiber/compare/v2.52.1...v2.52.2)

#### 🐛 Fixes

- Middleware/cors: Validation of multiple Origins ([https://github.com/gofiber/fiber/pull/2883](https://togithub.com/gofiber/fiber/pull/2883))

**Full Changelog**: https://github.com/gofiber/fiber/compare/v2.52.1...v2.52.2

### [`v2.52.1`](https://togithub.com/gofiber/fiber/releases/tag/v2.52.1)

[Compare Source](https://togithub.com/gofiber/fiber/compare/v2.52.0...v2.52.1)

#### 👮 Security

- Middleware/cors: Insecure CORS Configuration Allowing Wildcard Origin with Credentials - GHSA-fmg4-x8pw-hjhg https://docs.gofiber.io/api/middleware/cors

#### 🐛 Fixes

- Middleware/healthcheck: Not working with route group ([#2863](https://togithub.com/gofiber/fiber/issues/2863))

#### 📚 Documentation

- Fix default value to false in docs of QueryBool ([#2811](https://togithub.com/gofiber/fiber/issues/2811))
- Fix code snippet indentation in /docs/api/middleware/keyauth.md ([#2867](https://togithub.com/gofiber/fiber/issues/2867))

**Full Changelog**: https://github.com/gofiber/fiber/compare/v2.52.0...v2.52.1

Thank you [@luk3skyw4lker](https://togithub.com/luk3skyw4lker), [@CAEL0](https://togithub.com/CAEL0), [@grivera64](https://togithub.com/grivera64), [@gaby](https://togithub.com/gaby) and [@sixcolors](https://togithub.com/sixcolors) for making this update possible.

### [`v2.52.0`](https://togithub.com/gofiber/fiber/releases/tag/v2.52.0)

[Compare Source](https://togithub.com/gofiber/fiber/compare/v2.51.0...v2.52.0)

#### 🚀 New

- Middleware/healthcheck: Add liveness and readiness checks ([#2509](https://togithub.com/gofiber/fiber/issues/2509)) https://docs.gofiber.io/api/middleware/healthcheck

  ```go
  // Direct usage with default config
  app.Use(healthcheck.New())

  // Or extend your config for customization
  app.Use(healthcheck.New(healthcheck.Config{
      LivenessEndpoint: "/live",
      LivenessProbe: func(c *fiber.Ctx) bool {
          return true
      },
      ReadinessEndpoint: "/ready",
      ReadinessProbe: func(c *fiber.Ctx) bool {
          return serviceA.Ready() && serviceB.Ready() && ...
      },
  }))
  ```

#### 🧹 Updates

- Middlewares: don't constrain middlewares context-keys to strings ([#2751](https://togithub.com/gofiber/fiber/issues/2751))
- Middleware/logger: colorize logger error message [#2593](https://togithub.com/gofiber/fiber/issues/2593) ([#2773](https://togithub.com/gofiber/fiber/issues/2773))
- Middleware/logger: changing default log output ([#2730](https://togithub.com/gofiber/fiber/issues/2730))
- Middleware/logger: log client IP address by default ([#2755](https://togithub.com/gofiber/fiber/issues/2755))
- Middleware/encryptcookie: update default config ([#2753](https://togithub.com/gofiber/fiber/issues/2753))
- Improve benchmarks for getOffer ([#2739](https://togithub.com/gofiber/fiber/issues/2739))

#### 🛠️ Maintenance

- Bump github/codeql-action from 2 to 3 ([#2763](https://togithub.com/gofiber/fiber/issues/2763))
- Bump github.com/google/uuid from 1.4.0 to 1.5.0 ([#2762](https://togithub.com/gofiber/fiber/issues/2762))
- Bump actions/setup-go from 4 to 5 ([#2754](https://togithub.com/gofiber/fiber/issues/2754))
- Bump golang.org/x/sys from 0.14.0 to 0.15.0 ([#2744](https://togithub.com/gofiber/fiber/issues/2744))
- Bump github.com/valyala/fasthttp from 1.50.0 to 1.51.0 ([#2721](https://togithub.com/gofiber/fiber/issues/2721))

#### 🐛 Fixes

- Middleware/redirect: fix for redirect with query params ([#2748](https://togithub.com/gofiber/fiber/issues/2748))
- Middleware/adaptor: Adaptor + otelfiber issue [#2641](https://togithub.com/gofiber/fiber/issues/2641) ([#2772](https://togithub.com/gofiber/fiber/issues/2772))
- Middleware/cors: Should use the defined AllowedOriginsFunc config when AllowedOrigins is empty ([#2771](https://togithub.com/gofiber/fiber/issues/2771))
- Middleware/session: Race in session middleware tests ([#2740](https://togithub.com/gofiber/fiber/issues/2740))
- Middleware/csrf: Fix failing CSRF tests ([#2720](https://togithub.com/gofiber/fiber/issues/2720))
- Fix race condition in parallel tests ([#2734](https://togithub.com/gofiber/fiber/issues/2734))
- utils.IsIPv4 and net.ParseIP have inconsistent results [#2735](https://togithub.com/gofiber/fiber/issues/2735) ([#2736](https://togithub.com/gofiber/fiber/issues/2736))

#### 📚 Documentation

- Middleware/csrf: Improve csrf docs ([#2726](https://togithub.com/gofiber/fiber/issues/2726))
- Update app.md for indentation ([#2761](https://togithub.com/gofiber/fiber/issues/2761))
- Update default config ([#2753](https://togithub.com/gofiber/fiber/issues/2753))
- Update CONTRIBUTING.md ([#2752](https://togithub.com/gofiber/fiber/issues/2752))

**Full Changelog**: https://github.com/gofiber/fiber/compare/v2.51.0...v2.52.0

Thank you [@MehmetFiratKomurcu](https://togithub.com/MehmetFiratKomurcu), [@benjajaja](https://togithub.com/benjajaja), [@brunodmartins](https://togithub.com/brunodmartins), [@gilwo](https://togithub.com/gilwo), [@iredmail](https://togithub.com/iredmail), [@itswcg](https://togithub.com/itswcg), [@luk3skyw4lker](https://togithub.com/luk3skyw4lker), [@muhammadkholidb](https://togithub.com/muhammadkholidb), [@nickajacks1](https://togithub.com/nickajacks1), [@sixcolors](https://togithub.com/sixcolors) and [@tokelo-12](https://togithub.com/tokelo-12) for making this update possible.

### [`v2.51.0`](https://togithub.com/gofiber/fiber/releases/tag/v2.51.0)

[Compare Source](https://togithub.com/gofiber/fiber/compare/v2.50.0...v2.51.0)

#### 🚀 New

- Add support for parameters in content negotiation ([#2678](https://togithub.com/gofiber/fiber/issues/2678)) [RFC](https://www.rfc-editor.org/rfc/rfc9110#name-parameters) https://docs.gofiber.io/api/ctx#accepts

  ```go
  // Consideration of parameters in the accepted headers
  // Accept: text/plain, application/json; version=1; foo=bar
  app.Get("/", func(c *fiber.Ctx) error {
      // Extra parameters in the accept are ignored
      c.Accepts("text/plain;format=flowed") // "text/plain;format=flowed"

      // An offer must contain all parameters present in the Accept type
      c.Accepts("application/json") // ""

      // Parameter order and capitalization does not matter. Quotes on values are stripped.
      c.Accepts(`application/json;foo="bar";VERSION=1`) // "application/json;foo="bar";VERSION=1"
  })
  ```

- Add support for application/problem+json ([#2704](https://togithub.com/gofiber/fiber/issues/2704)) https://docs.gofiber.io/api/ctx#json https://docs.gofiber.io/api/client#json

  ```go
  // Passing a custom json type
  ctx.JSON(fiber.Map{
      "type":     "https://example.com/probs/out-of-credit",
      "title":    "You do not have enough credit.",
      "status":   403,
      "detail":   "Your current balance is 30, but that costs 50.",
      "instance": "/account/12345/msgs/abc",
  }, fiber.)
  ```

#### 🧹 Updates

- Ctx.Range: reduce allocations ([#2705](https://togithub.com/gofiber/fiber/issues/2705))
- Middleware/pprof: improve performance ([#2709](https://togithub.com/gofiber/fiber/issues/2709))

#### 🛠️ Maintenance

- Bump golang.org/x/sys from 0.13.0 to 0.14.0 ([#2707](https://togithub.com/gofiber/fiber/issues/2707))
- Bump github.com/google/uuid from 1.3.1 to 1.4.0 ([#2693](https://togithub.com/gofiber/fiber/issues/2693))
- Bump actions/setup-node from 3 to 4 ([#2690](https://togithub.com/gofiber/fiber/issues/2690))
- Bump github.com/mattn/go-isatty from 0.0.19 to 0.0.20 ([#2679](https://togithub.com/gofiber/fiber/issues/2679))

#### 🐛 Fixes

- Middleware/limiter: fix intermittent failures ([#2716](https://togithub.com/gofiber/fiber/issues/2716))
- Naming of routes works wrong after mount [#2688](https://togithub.com/gofiber/fiber/issues/2688) ([#2689](https://togithub.com/gofiber/fiber/issues/2689))
- Fix method validation on route naming ([#2686](https://togithub.com/gofiber/fiber/issues/2686))

#### 📚 Documentation

- Changed "Twitter" to "X (Twitter)" in README.md Contribute Section ([#2696](https://togithub.com/gofiber/fiber/issues/2696))
- Add additional information as to why GetReqHeaders returns a map where the values are slices of strings ([#2698](https://togithub.com/gofiber/fiber/issues/2698))
- Enhance csrf.md ([#2692](https://togithub.com/gofiber/fiber/issues/2692))

**Full Changelog**: https://github.com/gofiber/fiber/compare/v2.50.0...v2.51.0

Thank you [@BandhiyaHardik](https://togithub.com/BandhiyaHardik), [@database64128](https://togithub.com/database64128), [@efectn](https://togithub.com/efectn), [@moritz157](https://togithub.com/moritz157), [@nickajacks1](https://togithub.com/nickajacks1), [@rhburt](https://togithub.com/rhburt) and [@sixcolors](https://togithub.com/sixcolors) for making this update possible.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.
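The wildcard-plus-credentials misconfiguration from CVE-2024-25124 above, as an added example in plain Go (net/http only; this is not Fiber's code and not this repository's). It shows three things a practitioner wants when reviewing a bump like this one: a start-up check equivalent to the advisory's proposed fix, a minimal middleware that emits the insecure header pair next to an allow-list configuration that does not, and an audit function you can point at any response to catch the `*`-with-credentials, `null`-origin and reflected-origin patterns. `CORSConfig`, `AuditCORS`, `Probe`, and the origins `https://app.example` and `https://evil.example` are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// CORSConfig is a hypothetical stand-in for the two cors.Config fields the
// advisory discusses (example code, not Fiber's own type).
type CORSConfig struct {
	AllowOrigins     string // comma-separated origins, or "*"
	AllowCredentials bool
}

var ErrInsecureCORS = errors.New("insecure CORS setup: AllowCredentials is true and AllowOrigins contains a wildcard")

// origins splits AllowOrigins into trimmed, non-empty entries.
func (c CORSConfig) origins() []string {
	var out []string
	for _, o := range strings.Split(c.AllowOrigins, ",") {
		if o = strings.TrimSpace(o); o != "" {
			out = append(out, o)
		}
	}
	return out
}

// Validate is the start-up check the advisory proposes, returning an error
// instead of panicking so the caller decides how to fail.
func (c CORSConfig) Validate() error {
	for _, o := range c.origins() {
		if o == "*" && c.AllowCredentials {
			return ErrInsecureCORS
		}
	}
	return nil
}

// Middleware emits CORS headers for a simple (non-preflight) request. With a
// wildcard it sends "*", plus credentials if configured, which is exactly the
// combination the advisory describes; with an allow list it echoes the request
// origin only on an exact match.
func (c CORSConfig) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		allowed := ""
		for _, o := range c.origins() {
			if o == "*" || o == origin {
				allowed = o
				break
			}
		}
		if origin != "" && allowed != "" {
			w.Header().Add("Vary", "Origin")
			w.Header().Set("Access-Control-Allow-Origin", allowed)
			if c.AllowCredentials {
				w.Header().Set("Access-Control-Allow-Credentials", "true")
			}
		}
		next.ServeHTTP(w, r)
	})
}

// AuditCORS inspects response headers and reports credentialed combinations
// that the CORS protocol forbids, or that hand a credentialed response to
// untrustedOrigin, an origin the caller knows must not be allowed.
func AuditCORS(h http.Header, untrustedOrigin string) []string {
	acao := h.Get("Access-Control-Allow-Origin")
	creds := strings.EqualFold(h.Get("Access-Control-Allow-Credentials"), "true")
	if !creds || acao == "" {
		return nil
	}
	switch acao {
	case "*":
		return []string{"wildcard Access-Control-Allow-Origin combined with credentials"}
	case "null":
		return []string{"'null' origin allowed with credentials"}
	case untrustedOrigin:
		return []string{"untrusted origin " + untrustedOrigin + " reflected with credentials"}
	}
	return nil
}

// Probe sends one GET carrying the given Origin through cfg's middleware and
// returns the audit findings for the response.
func Probe(cfg CORSConfig, origin string) []string {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/api/me", nil)
	req.Header.Set("Origin", origin)
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	cfg.Middleware(ok).ServeHTTP(rec, req)
	return AuditCORS(rec.Result().Header, origin)
}

func main() {
	insecure := CORSConfig{AllowOrigins: "*", AllowCredentials: true}
	fixed := CORSConfig{AllowOrigins: "https://app.example", AllowCredentials: true}
	fmt.Println("insecure:", insecure.Validate(), Probe(insecure, "https://evil.example"))
	fmt.Println("fixed:   ", fixed.Validate(), Probe(fixed, "https://evil.example"))
}
```

Run the probe with an origin you know is not on the allow list; a clean result from `AuditCORS` for that origin, together with a passing `Validate`, is the check the advisory's workaround asks for until the upgrade lands.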

renovate[bot] commented 1 month ago

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

Details:

Package Change
github.com/google/uuid v1.3.1 -> v1.5.0
github.com/mattn/go-isatty v0.0.19 -> v0.0.20
github.com/valyala/fasthttp v1.50.0 -> v1.51.0
golang.org/x/sys v0.13.0 -> v0.15.0
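For the session_id injection in CVE-2024-38513 above and the two workarounds listed with it (validate IDs, rotate them), an added example in plain Go; it is not Fiber's session middleware and not this repository's code. The store can be switched between the pre-2.52.5 behaviour, where an ID the client presents becomes the key of a new session, and the fixed behaviour, where only server-issued, well-formed IDs are honoured and a login rotates the key. `Store`, `NewStore`, `WellFormed`, `Regenerate` and the planted ID values are assumptions constructed for the example.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"sync"
)

// Store is an in-memory session store written for this example. With
// AcceptClientIDs set it reproduces the behaviour CVE-2024-38513 describes:
// an ID the client presents is used as the key of a new session even though
// the server never issued it.
type Store struct {
	mu              sync.Mutex
	sessions        map[string]map[string]string
	AcceptClientIDs bool
}

func NewStore(acceptClientIDs bool) *Store {
	return &Store{sessions: map[string]map[string]string{}, AcceptClientIDs: acceptClientIDs}
}

// newID draws 128 bits from crypto/rand; in the fixed mode this is the only
// way a key enters the store.
func newID() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// WellFormed is workaround step 1 (validate session IDs): reject anything that
// does not have the shape of an ID this server generates, before looking it up.
func WellFormed(id string) bool {
	if len(id) != 32 {
		return false
	}
	_, err := hex.DecodeString(id)
	return err == nil
}

// Get resolves the ID the client presented (for Fiber, the session_id cookie
// or header) and returns the ID the client must use from now on, plus whether
// a new session was created.
func (s *Store) Get(clientID string) (string, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if clientID != "" && (s.AcceptClientIDs || WellFormed(clientID)) {
		if _, ok := s.sessions[clientID]; ok {
			return clientID, false // known session: keep its ID
		}
		if s.AcceptClientIDs {
			// Vulnerable path: the never-issued ID becomes the session key, so
			// whoever chose it (an attacker who planted the cookie) shares the
			// session the victim is about to log in to.
			s.sessions[clientID] = map[string]string{}
			return clientID, true
		}
	}
	// Fixed path: unknown, malformed or empty IDs are discarded and the server
	// picks the key.
	id := newID()
	s.sessions[id] = map[string]string{}
	return id, true
}

// Regenerate moves a session to a fresh ID; call it at login (workaround
// step 2, rotation) so a pre-login ID an attacker knows stops being valid.
func (s *Store) Regenerate(oldID string) (string, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	data, ok := s.sessions[oldID]
	if !ok {
		return "", false
	}
	delete(s.sessions, oldID)
	id := newID()
	s.sessions[id] = data
	return id, true
}

// Has reports whether id is a live session key.
func (s *Store) Has(id string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	_, ok := s.sessions[id]
	return ok
}

func main() {
	planted := "attacker-chosen-value" // constructed: an ID an attacker put in the victim's cookie
	vuln := NewStore(true)
	id, _ := vuln.Get(planted)
	fmt.Printf("vulnerable store keyed the session as %q\n", id)

	fixed := NewStore(false)
	id, _ = fixed.Get(planted)
	fmt.Printf("fixed store discarded %q and issued %s\n", planted, id)
	rotated, _ := fixed.Regenerate(id)
	fmt.Printf("after login the ID rotates to %s; old one still valid: %v\n", rotated, fixed.Has(id))
}
```

The point of the well-formedness check is cheap early rejection, not security on its own: a 32-hex-character value an attacker made up is still unknown to the store and still gets replaced, which is the property the patch restores.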